Nomad's $190 million bridge exploit drew hacking feeding frenzy of 300 addresses

Quick Take

  • Security firm PeckShield told The Block that more than 300 addresses were tied to Nomad’s bridge exploit on Monday.
  • These addresses collectively stole $190 million by exploiting a vulnerability in the Nomad’s smart contract.

While most crypto hacks are caused by lone wolves, Monday's $190 million exploit of the Nomad cross-bridge appears to have been driven by a feeding frenzy of hundreds of bad actors. 

Nomad’s cross-chain bridge was hacked for $190 million in various crypto assets yesterday after a software update exposed a critical vulnerability that allowed anyone to drain funds from the bridge. 

The vulnerability was initially discovered on Monday by an unknown hacker who quickly stole nearly $95 million, blockchain security firm PeckShield told The Block today. As the news of the initial exploit spread in crypto circles, others rushed to join the original hacker to take money for themselves. 

PeckShield told The Block that more than 300 addresses had taken funds from Nomad over the course of an hour. The firm estimated that 41 of them took $152 million, equivalent to 80% of the stolen funds from Nomad’s cross-chain bridge.

However, not all of them were bad actors. PeckShield’s analysis found at least six addresses that were white hackers, a name given to ethical hackers, who grabbed about $8.2 million from the bridge. They are expected to return the funds.

Nomad is a cross-chain bridge, a tool that lets users move ERC-20 tokens among Ethereum, Moonbeam, Evmos and Avalanche. It is one of the several bridge services available in the crypto space.

What went wrong

According to PeckShield, the vulnerability was introduced by Nomad developers during a smart contract update. The bug came from the developers erroneously modifying the bridge’s smart contract and deploying the code without proper audit.

"The Nomad bridge hack is made possible due to an improper initialization leading to the zero address (0x00) being marked as a trusted root, which led to every message being proven valid by default,” PeckShield said. 

Marking 0x00 (also called as the zero address) the trusted root accidentally turned off a smart contract check that ensured withdrawals were made to valid addresses only.

After the vulnerability was introduced in Nomad's code, withdrawal requests from any address were considered as valid by default. This meant that anyone could withdraw funds from the bridge if they wanted.

The exploit didn't require advanced technical knowledge of smart contracts. All one had to do was simply edit the hacker's transaction with Etherscan, replace the destination address with their own address and make the withdrawal request on the Nomad bridge. 

© 2023 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.